Hello, yes:

root@xxxxxx:/var/log# netstat -tuna | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:514 0.0.0.0:*

<remote>
  <connection>syslog</connection>
  <allowed-ips>161.182.xxx.xxx</allowed-ips>
  <allowed-ips>161.182.xxx.xxx</allowed-ips>
</remote>

On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>
> Hi, can you verify if the port is open?
>
> [root@wazuh-manager /]# netstat -tuna | grep 514
> udp 0 0 0.0.0.0:514 0.0.0.0:*
>
> The Symantec IP is allowed in ossec.conf, right?
>
> Regards
> -----------------------
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com
>
> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (eholl...@gmail.com) wrote:
>
> It's very strange... I have already enabled syslog over 514 from our Symantec server to the OSSEC server, and I see the logs coming into our ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC alerts files and do not see the log anywhere on the server... Where should these logs be written when being sent to the server? I've checked all gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ and /var/ossec/logs/alerts/
>
> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>>
>> Hello,
>>
>> In order to permit OSSEC to receive your Symantec syslog messages, you need to enable this in the configuration:
>>
>> Listen on port 514:
>>
>> <ossec_config>
>>   <remote>
>>     <connection>syslog</connection>
>>     <allowed-ips>Symantec AV ip</allowed-ips>
>>   </remote>
>> </ossec_config>
>>
>> Then you need to restart OSSEC:
>>
>> /var/ossec/bin/ossec-control restart
>>
>> If after these changes you are still not receiving alerts, enable logall in ossec.conf (<logall>yes</logall>) and take a look at the file "/var/ossec/logs/archives/archives.log". If the logs are in this file, but not in your alerts, probably the decoders or rules have something wrong.
>>
>> Regards
>> -----------------------
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com) wrote:
>>
>> Hello All,
>>
>> I have pointed my Symantec AV logs to our OSSEC server via syslog over port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have created a custom decoder and parser, and can confirm that it is working:
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'Symantec'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100006'
>>        Level: '7'
>>        Description: 'Symantec: virus found'
>> **Alert to be generated.
>>
>> Do I need to point OSSEC to monitor the incoming syslog so that it can alert on it? Again, I am seeing the straight syslog coming into ELSA, but no OSSEC alert appears to be generated.
>>
>> Thanks

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
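The listener and <allowed-ips> behaviour Jose describes, as an added example that is not part of the original thread and not OSSEC's or Wazuh's own code: a minimal RFC 3164 syslog sender and receiver in Python, bound to an ephemeral loopback port instead of 514 so it runs without root. The allowed-ips filter, the in-memory archive standing in for archives.log, the hostname sepm01, the tag SymantecServer and the placeholder address 161.182.0.1 are all assumptions, and the sample event line is constructed. It does not replicate ossec-remoted's decoding or rules; it only shows what a sender outside the allowed list looks like from the manager's side.

```python
"""Minimal RFC 3164 syslog sender/receiver pair that mimics the allowed-ips
filter of the OSSEC <remote> syslog listener.  Added example, not OSSEC code."""
import re
import socket
from datetime import datetime

# Constructed sample line, shaped like the "Symantec: virus found" event the
# thread decodes; not a real Symantec export.
SAMPLE_EVENT = ("Virus found,Computer name: WS01,Source: Real Time Scan,"
                "Risk name: EICAR Test String,Action taken: Quarantined")

# <PRI>TIMESTAMP HOSTNAME MSG   (RFC 3164 header; MSG usually starts with TAG:)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")


def build_syslog(facility, severity, hostname, tag, message, when=None):
    """Encode one RFC 3164 datagram.  PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("bad facility/severity")
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded
    return f"<{facility * 8 + severity}>{ts} {hostname} {tag}: {message}".encode()


def parse_syslog(datagram):
    """Split a datagram into PRI fields and header; None if it is not syslog."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", "replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "msg": m.group("msg")}


class SyslogListener:
    """Bind UDP (port 0 = ephemeral, so the example never needs root or 514)
    and keep only datagrams from allowed source IPs, as <allowed-ips> does."""

    def __init__(self, allowed_ips, bind_ip="127.0.0.1", port=0):
        self.allowed = set(allowed_ips)          # assumed: exact-IP match only
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((bind_ip, port))
        self.sock.settimeout(2.0)
        self.archive = []   # stands in for archives.log (<logall>yes</logall>)
        self.dropped = []   # discarded without a trace, like an unlisted sender

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def receive_one(self):
        data, (src_ip, _) = self.sock.recvfrom(65535)
        if src_ip not in self.allowed:
            self.dropped.append((src_ip, data))
            return None
        event = parse_syslog(data)
        if event is not None:
            event["src_ip"] = src_ip
            self.archive.append(event)
        return event

    def close(self):
        self.sock.close()


def send_to(listener_port, datagram):
    """What the Symantec server side does: one UDP datagram, fire and forget."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, ("127.0.0.1", listener_port))


def run_demo():
    """Send the same event to a listener that allows 127.0.0.1 and to one that
    only allows a placeholder IP; return what each side kept."""
    when = datetime(2017, 3, 14, 12, 44, 7)
    dgram = build_syslog(1, 4, "sepm01", "SymantecServer", SAMPLE_EVENT, when)

    ok = SyslogListener(allowed_ips=["127.0.0.1"])
    send_to(ok.port, dgram)
    accepted = ok.receive_one()
    ok.close()

    # A manager whose allowed-ips names some other address (161.182.0.1 is a
    # placeholder) drops loopback traffic silently: nothing reaches the archive.
    strict = SyslogListener(allowed_ips=["161.182.0.1"])
    send_to(strict.port, dgram)
    rejected = strict.receive_one()
    strict.close()

    return {"accepted": accepted, "rejected": rejected,
            "archive_len": len(ok.archive), "dropped": len(strict.dropped)}


if __name__ == "__main__":
    print(run_demo())
```

The second listener is the case Jose is probing with "the Symantec IP is allowed in ossec.conf, right?": a datagram from an address not in <allowed-ips> is received by the socket and discarded, so the port looks open in netstat and the message still shows up in any other collector (ELSA here), yet nothing lands in archives.log even with logall on. Confirming on the manager with a packet capture (tcpdump on udp port 514) that the source address is the one listed in ossec.conf separates that case from a decoder or rule problem.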